Merge pull request #60 from Laravel-Backpack/prevent-mimes-tampering

prevent mime types tampering

Author: pxpm

src/BackpackElfinderController.php

@@ -11,14 +11,23 @@ public function showPopup($input_id)
     {
         $mimes = request('mimes');
 
+        if (! isset($mimes)) {
+            Log::error('Someone attempted to tamper with mime types in elfinder popup. The attempt was blocked.');
+            abort(403, 'Unauthorized action.');
+        }
+
         try {
             $mimes = Crypt::decrypt(urldecode(request('mimes')));
         } catch (\Illuminate\Contracts\Encryption\DecryptException $e) {
             Log::error('Someone attempted to tamper with mime types in elfinder popup. The attempt was blocked.');
             abort(403, 'Unauthorized action.');
         }
 
-        request()->merge(['mimes' => urlencode(serialize($mimes))]);
+        if (! empty($mimes)) {
+            request()->merge(['mimes' => urlencode(serialize($mimes))]);
+        } else {
+            request()->merge(['mimes' => '']);
+        }
 
         return $this->app['view']
             ->make($this->package.'::standalonepopup')